passive dns collection and analysis
play

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) - PowerPoint PPT Presentation

Aug 14, 2023 •6 likes •196 views

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

  1. Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc. December 2014

  2. Importance of Measuring DNS • High volume low latency datagram protocol – Channel 202; 40 sources; 1,657,398,226,932 bytes/day; 153.463 Mbit/sec average rate. #1: 1,003,803,989,532 bytes, 97 sources (60%) #2: 272,389,753,714 bytes, 152 sources (16%) #3: 227,311,932,135 bytes, 54 sources (13%) • Enables almost all other network flows – A, AAAA, MX, NS, SRV records • Traffic analysis: NetFlow vs. DNS – NetFlow tells you “what” – DNS tells you “why” (and “how”)

  3. Challenges of Measuring DNS • Historically, turning on logging in a DNS server slows it down to the speed of the file system – Operationally, measurement loss is always better • So, success in DNS measurement has come from an asynchronous approach – BPF/pcap – NCAP (2006) – looked for authoritative responses, reassembling UDP datagrams as necessary (EDNS) – NMSG (2010) – like NCAP but has to see requests also, and then logs complete DNS transactions

  4. Passive DNS Data Flow Authority other Servers analysts Farsight SIE and other Recursive DNS Servers Cache applications Farsight PII DNSDB Stub Resolvers

  5. Problems with NCAP/NMSG • Blind to off-wire events like cache expiry due to DNS TTL, cache purge due to LRU • Meaning is not tagged – NMSG receiver has to impute (“guess”) stub vs. cache miss query type, as well as transaction bailiwick • Currently blind to TCP/53 – noting that there can be many transactions per TCP/53 session

  6. Overload Handling Still Matters loss region Diagram courtesy of Van Jacobson, 1995

  7. Enter ‘ dnstap ’ (DNS Tap) & ‘ fstrm ’ (Frame Streams) • ‘ dnstap ’ is server -embedded • ‘ fstrm ’ has reliable front -loss • Implementation has begun • Deployment is commencing

  8. ‘ dnstap ’ – Server-Embedded • ‘ dnstap ’ messages are generated from within DNS implementations, via instrumentation – No UDP fragment or TCP stream reassembly – No guessing the transaction bailiwick – No matching of on-wire queries with responses – No imputing stub vs. cache-miss query • Encoded using Google Protocol Buffers – Fast, lean, open, high quality, de-facto standard

  9. 'dnstap' – Perspectives • Messages can be annotated with off-wire information, e.g.: – Identity of the server, similar to NSID (for anycast) • Messages are tightly bound to the role of the protocol agent who generates them – RESOLVER_QUERY and AUTH_QUERY are distinct in ‘ dnstap ’ but identical in BPF/ pcap • ‘ dnstap ’ is for observation not eavesdropping – Its use proves that an endpoint is cooperating

  10. ‘ fstrm ’ – Reliable Front-Loss • TCP protocol vs. “BSD Sockets API” – Nonblocking UDP socket rejects full datagrams – Nonblocking TCP socket rejects overflow octets • Which breaks framing unless sender keeps state • Solution: ‘ fstrm ’ writer thread – Lockless SP/SC ring buffer – ‘ fstrm ’ socket is blocking, so, thread can block – Reliable front-loss occurs when a ring buffer fills

  11. ‘ dnstap ’ / ‘ fstrm ’ Architecture

  12. ‘ dnstap ’ – Message Types • Present: • Prospective: – Stub {Query, Response} – RRL bucket {Start, End} – Authoritative {Q, R} – Zone transfer in {S, E} – Resolver {Q, R} – Zone transfer out {S, E} – Client {Q, R} – Cache purge (LRU) – Forwarder {Q, R} – Cache expiry (TTL)

  15. Licensing/Packaging • Using Apache Open Source License V2.0 – We loved BSD/ISC license, but AOSL2 is “better” • Protocol, reference API, reference toolset – Working now in Unbound, Knot; BIND is next • Our commercial interest is: wide adoption – So, it’s all on GitHub (see http://dnstap.info/) • We intend to patch all F/L/OSS DNS servers – Eventually this should pressure Nominum and Microsoft to join the ‘ dnstap ’ ecosystem

  16. Context of DNS Measurements • Farsight SIE – Security Information Exchange – Commoditize security-relevant Internet telemetry – Channels for Passive DNS (raw, dedup’d , chaff, etc) • Filtered output goes into DNSDB – Hierarchical MTBL (Google Sorted String Tables) – Contains all of SIE’s DNS since June 2010 – RESTful API with JSON output • SIE and DNSDB are cash-free for nonprofit research/academia (pay us in data of like kind)

  17. Passive DNS, SIE, DNSDB – Context

  18. Demonstration • DNSDB API – online dnsdb_query tool • SRA – SIE Remote Access • NOD – Newly Observed Domains

  19. Summary • Passive DNS collection (NCAP, NMSG, ‘ dnstap ’) • Worked example: DNSDB, SRA, NOD • More Information: – http://dnstap.info/ – https://dnsdb.info/ – https://api.dnsdb.info/ – http://github.com/farsightsec – http://dnsrpz.info/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using Passive Data Collection, System-to-System Data Collection, and Machine Learning to Improve

Using Passive Data Collection, System-to-System Data Collection, and Machine Learning to Improve

Using Passive Data Collection, System-to-System Data Collection, and Machine Learning to Improve Economic Surveys Brian Dumbacher Demetria Hanna U.S. Census Bureau Disclaimer: Any views expressed are those of the authors and not necessarily

746 views • 25 slides
Digital Tachograph Data Collection & Analysis System 1 Outline Data Collection

Digital Tachograph Data Collection & Analysis System 1 Outline Data Collection

Digital Tachograph Data Collection & Analysis System 1 Outline Data Collection takograf.tobb.org.tr Kiosk Data Storage Data Analysis Control Panel Displaying Data and Breaches 2 Data Collection And Analysis

234 views • 19 slides
Digital Tachograph Data Collection & Analysis System 1 Outline Data Collection

Digital Tachograph Data Collection & Analysis System 1 Outline Data Collection

Digital Tachograph Data Collection & Analysis System 1 Outline Data Collection staumanaliz.tobb.org.tr Data Upload Kiosks Data Storage Data Analysis Control Panel Display of Data and Analysis Results 2 Data

127 views • 10 slides
Passive House Report 2016 (From the Standardto the new Analisys Software Tools) Laia -

Passive House Report 2016 (From the Standardto the new Analisys Software Tools) Laia -

Passive House Report 2016 (From the Standardto the new Analisys Software Tools) Laia - Tuixent Morg Monne UPC University 23.06.2016 PASSIVE HOUSE ANALYSIS INDEX 1. BIOCLIMATIC DESIGN CLIMATE ANALYSIS _______________________________ (1)

1.76k views • 127 slides
Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
Sunglasses SM001 Collection SM005 Collection YPC001 Collection(swimming goggles) SR001

Sunglasses SM001 Collection SM005 Collection YPC001 Collection(swimming goggles) SR001

Sunglasses SM001 Collection SM005 Collection YPC001 Collection(swimming goggles) SR001 Collection SR002 Collection SR003 Collection SR004 Collection Optical-Anti blue glasses FU006 Collection FU002Collection FU004 Collection FU001

186 views • 17 slides
Quarter ended 30 th June 2018 1 1 2 3 Sales and Performance Collection Asset Analysis

Quarter ended 30 th June 2018 1 1 2 3 Sales and Performance Collection Asset Analysis

Board Presentation dated 17 th July 2018 Quarter ended 30 th June 2018 1 1 2 3 Sales and Performance Collection Asset Analysis Analysis Analysis 4 5 6 Management Liability Analysis Discussion & Analysis 5 Quarters Analysis BLUE

356 views • 33 slides
EAST Collection Analysis Rick Lugg & Ruth Fischer Sustainable Collection Services/OCLC

EAST Collection Analysis Rick Lugg & Ruth Fischer Sustainable Collection Services/OCLC

Brandeis University / June 22, 2015 EAST Collection Analysis Rick Lugg & Ruth Fischer Sustainable Collection Services/OCLC Davidson College, January 2008 2 3 Sustainablecollections.co m Deselection: A Range of Options

797 views • 46 slides
Laplace Transforms Circuit Analysis Passive element equivalents Review of ECE 221 methods

Laplace Transforms Circuit Analysis Passive element equivalents Review of ECE 221 methods

Laplace Transforms Circuit Analysis Passive element equivalents Review of ECE 221 methods in s domain Many examples J. McNames Portland State University ECE 222 Laplace Circuits Ver. 1.63 1 Example 1: Circuit Analysis We can use

645 views • 48 slides
Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference

Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference

Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning Milad Nasr 1 , Reza Shokri 2 , Amir Houmansadr 1 1 University of Massachusetts Amherst, 2 National

568 views • 29 slides
What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive voice? Active Voice In an active sentence, the subject performs the action (the verb) to the object . Passive Voice In a passive sentence, the thing

610 views • 14 slides
Rendezvous Mission Risk Reduction Through Passive Safety Analysis 35 th Space Symposium McClain

Rendezvous Mission Risk Reduction Through Passive Safety Analysis 35 th Space Symposium McClain

Rendezvous Mission Risk Reduction Through Passive Safety Analysis 35 th Space Symposium McClain Goggin Space Flight Projects Laboratory April 2018 Introduction Collision Probability Trade Study Results Conclusion Appendix Outline

689 views • 30 slides
Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the movement of ions and other molecules across cell membranes without the need of energy input (ATP) Ions or molecules move from an area of higher

650 views • 33 slides
Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1 Agenda Introduction Passive DNS, Including Times When Passive DNS May Not Work Well Overcoming Obfuscation Pillz

962 views • 47 slides
The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola

The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola

The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola <vittorio.bertola@open-xchange.com> 1 Premise: We need proper online identities Traditionally, we only had accounts And they were not

302 views • 18 slides
DNS Observatory: The Big Picture of the DNS Pawe Foremski Oliver Gasser Giovane C. M. Moura

DNS Observatory: The Big Picture of the DNS Pawe Foremski Oliver Gasser Giovane C. M. Moura

DNS Observatory: The Big Picture of the DNS Pawe Foremski Oliver Gasser Giovane C. M. Moura Farsight Security / IITiS PAN Technical University of Munich SIDN Labs / TU Delft pjf@fsi.io gasser@net.in.tum.de giovane.moura@sidn.nl ACM IMC

1.33k views • 29 slides
CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses Root the Domain Name System (DNS). DNS database maps: edu mil ru Name to

923 views • 47 slides
ECE 650 Systems Programming & Engineering Spring 2018 Dynamic Host Configuration Protocol

ECE 650 Systems Programming & Engineering Spring 2018 Dynamic Host Configuration Protocol

ECE 650 Systems Programming & Engineering Spring 2018 Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Dynamic Host Configuration Protocol

722 views • 25 slides
Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src &

Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src &

Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src & dst ports + Network src & dst IP addresses + message M Application src & dst MAC addresses Link segment H T M Transport datagram H N

354 views • 6 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang Presenter: Zhou Li (UC Irvine EECS) 1 DNS Resolution

496 views • 34 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

1 The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit Eindhoven 2 The Domain Name System tue.nl wants to see http://www.ru.nl . Browser at tue.nl The web

1.39k views • 124 slides

More recommend